KASAN reports invalid load access while flushing ext2 superblock on RISC-V

[spholz]

This doesn't happen on x86-64 for some reason.

Kernel log:

21.697 [init_stage2(1:1)]: Ext2FS: super block magic: ef53 (super block size: 1024)
21.703 [init_stage2(1:1)]: Ext2FS: 149504 inodes, 517924 blocks
21.708 [init_stage2(1:1)]: Ext2FS: Block size: 4096
21.712 [init_stage2(1:1)]: Ext2FS: First data block: 0
21.716 [init_stage2(1:1)]: Ext2FS: Inodes per block: 16
21.721 [init_stage2(1:1)]: Ext2FS: Inodes per group: 9344
21.725 [init_stage2(1:1)]: Ext2FS: Free inodes: 130622
21.729 [init_stage2(1:1)]: Ext2FS: Descriptors per block: 128
21.734 [init_stage2(1:1)]: Ext2FS: Descriptor size: 32
22.372 [#0 init_stage2(1:1)]: BlockBasedFileSystem::read_block 1
22.381 [#0 init_stage2(1:1)]: Ext2FS: group[1] ( block_bitmap: 112, inode_bitmap: 113, inode_table: 114 )
22.385 [#0 init_stage2(1:1)]: Ext2FS: group[2] ( block_bitmap: 32880, inode_bitmap: 32881, inode_table: 32882 )
22.389 [#0 init_stage2(1:1)]: Ext2FS: group[3] ( block_bitmap: 65536, inode_bitmap: 65537, inode_table: 65538 )
22.393 [#0 init_stage2(1:1)]: Ext2FS: group[4] ( block_bitmap: 98416, inode_bitmap: 98417, inode_table: 98418 )
22.397 [#0 init_stage2(1:1)]: Ext2FS: group[5] ( block_bitmap: 131072, inode_bitmap: 131073, inode_table: 131074 )
22.401 [#0 init_stage2(1:1)]: Ext2FS: group[6] ( block_bitmap: 163952, inode_bitmap: 163953, inode_table: 163954 )
22.405 [#0 init_stage2(1:1)]: Ext2FS: group[7] ( block_bitmap: 196608, inode_bitmap: 196609, inode_table: 196610 )
22.409 [#0 init_stage2(1:1)]: Ext2FS: group[8] ( block_bitmap: 229488, inode_bitmap: 229489, inode_table: 229490 )
22.414 [#0 init_stage2(1:1)]: Ext2FS: group[9] ( block_bitmap: 262144, inode_bitmap: 262145, inode_table: 262146 )
22.418 [#0 init_stage2(1:1)]: Ext2FS: group[10] ( block_bitmap: 295024, inode_bitmap: 295025, inode_table: 295026 )
22.422 [#0 init_stage2(1:1)]: Ext2FS: group[11] ( block_bitmap: 327680, inode_bitmap: 327681, inode_table: 327682 )
22.426 [#0 init_stage2(1:1)]: Ext2FS: group[12] ( block_bitmap: 360448, inode_bitmap: 360449, inode_table: 360450 )
22.431 [#0 init_stage2(1:1)]: Ext2FS: group[13] ( block_bitmap: 393216, inode_bitmap: 393217, inode_table: 393218 )
22.435 [#0 init_stage2(1:1)]: Ext2FS: group[14] ( block_bitmap: 425984, inode_bitmap: 425985, inode_table: 425986 )
22.439 [#0 init_stage2(1:1)]: Ext2FS: group[15] ( block_bitmap: 458752, inode_bitmap: 458753, inode_table: 458754 )
22.444 [#0 init_stage2(1:1)]: Ext2FS: group[16] ( block_bitmap: 491520, inode_bitmap: 491521, inode_table: 491522 )
22.452 [#0 init_stage2(1:1)]: BlockBasedFileSystem::read_block 114
22.458 [init_stage2(1:1)]: Ext2FS: Mount successful, setting superblock to error state.
22.472 [#0 init_stage2(1:1)]: Writing superblock backup to block group 2 (block 32768)
22.476 [#0 init_stage2(1:1)]: BlockBasedFileSystem::write_blocks 32768, count=1
22.476 [#0 init_stage2(1:1)]: BlockBasedFileSystem::write_block 32768, size=4096
[init_stage2(1:1)]: KASAN: Invalid 1-byte Load access to V0x00000020021537d8, which is marked as 'Malloc Redzone' [at 0x0000002000679e92]
[init_stage2(1:1)]: Kernel + 0x000000000073e44e  Kernel::AddressSanitizer::print_violation(unsigned long, unsigned long, Kernel::AddressSanitizer::AccessType, Kernel::AddressSanitizer::ShadowType, void*) +0x94
[init_stage2(1:1)]: Kernel + 0x000000000073e5f0  Kernel::AddressSanitizer::shadow_va_check(unsigned long, unsigned long, Kernel::AddressSanitizer::AccessType, void*) +0x130
[init_stage2(1:1)]: Kernel + 0x000000000073e662  __asan_load1_noabort +0x12
[init_stage2(1:1)]: Kernel + 0x0000000000679e92  memcpy +0x78
[init_stage2(1:1)]: Kernel + 0x0000000000686b58  Kernel::UserOrKernelBuffer::read(void*, unsigned long, unsigned long) const +0x1b4
[init_stage2(1:1)]: Kernel + 0x00000000000f4d48  Kernel::UserOrKernelBuffer::read(void*, unsigned long) const +0x4e
[init_stage2(1:1)]: Kernel + 0x00000000003624a4  Kernel::UserOrKernelBuffer::read(AK::Span<unsigned char>) const +0x70
[init_stage2(1:1)]: Kernel + 0x00000000003619f2  Kernel::BlockBasedFileSystem::write_block(AK::DistinctNumeric<unsigned long, Kernel::__BlockIndex_tag, AK::DistinctNumericFeature::Comparison, AK::DistinctNumericFeature::CastToBool>, Kernel::UserOrKernelBuffer const&, unsigned long, unsigned long, bool) +0x1bc
[init_stage2(1:1)]: Kernel + 0x0000000000362090  Kernel::BlockBasedFileSystem::write_blocks(AK::DistinctNumeric<unsigned long, Kernel::__BlockIndex_tag, AK::DistinctNumericFeature::Comparison, AK::DistinctNumericFeature::CastToBool>, unsigned int, Kernel::UserOrKernelBuffer const&, bool) +0x322
[init_stage2(1:1)]: Kernel + 0x0000000000392454  Kernel::Ext2FS::flush_super_block() +0x560
[init_stage2(1:1)]: Kernel + 0x000000000039cbc8  Kernel::Ext2FS::initialize_while_locked() +0x1c06
[init_stage2(1:1)]: Kernel + 0x000000000041b438  Kernel::FileBackedFileSystem::initialize() +0x14e
[init_stage2(1:1)]: Kernel + 0x000000000057e73c  Kernel::create_and_initialize_filesystem_from_mount_file_and_description(AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node>&, Kernel::MountFile&, Kernel::OpenFileDescription&) +0x71e
[init_stage2(1:1)]: Kernel + 0x00000000005818d2  AK::ErrorOr<AK::NonnullRefPtr<Kernel::FileBackedFileSystem>, AK::Error> Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}::operator()<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >(AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node>&) const +0xa8
[init_stage2(1:1)]: Kernel + 0x0000000000581d20  decltype(auto) Kernel::MutexProtected<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >::with_exclusive<Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}>(Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}, Kernel::LockLocation const&) +0xbc
[init_stage2(1:1)]: Kernel + 0x0000000000581e40  Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&) +0x6c
[init_stage2(1:1)]: Kernel + 0x000000000033b288  Kernel::StorageManagement::create_first_vfs_root_context() const +0x32e
[init_stage2(1:1)]: Kernel + 0x000000000000151e  Kernel::init_stage2(void*) +0xce0
[init_stage2(1:1)]: Kernel + 0x00000000000176e8  exit_kernel_thread +0x0
[init_stage2(1:1)]: KASAN is configured to be deadly, halting the system.

GDB backtrace:

#0  Kernel::ProcessorBase<Kernel::Processor>::halt () at ./Kernel/Arch/riscv64/Processor.cpp:135
#1  0x000000200073e4bc in Kernel::AddressSanitizer::print_violation (address=address@entry=137473898456, size=<optimized out>, 
    size@entry=1, access_type=access_type@entry=Kernel::AddressSanitizer::AccessType::Load, shadow_type=Kernel::AddressSanitizer::ShadowType::Malloc, return_address=<optimized out>, return_address@entry=0x2000679e92 <memcpy(void*, void const*, size_t)+120>)
    at ./Kernel/Security/AddressSanitizer.cpp:90
#2  0x000000200073e5f0 in Kernel::AddressSanitizer::shadow_va_check (address=address@entry=137473898456, size=size@entry=1, access_type=access_type@entry=Kernel::AddressSanitizer::AccessType::Load, return_address=0x2000679e92 <memcpy(void*, void const*, size_t)+120>, 
    return_address@entry=0x200073e662 <__asan_load1_noabort(FlatPtr)+18>) at ./Kernel/Security/AddressSanitizer.cpp:244
#3  0x000000200073e662 in __asan_load1_noabort (address=address@entry=137473898456) at ./Kernel/Security/AddressSanitizer.cpp:299
#4  0x0000002000679e92 in memcpy (dest_ptr=0x2002159900 <initial_kmalloc_memory+755968>, src_ptr=<optimized out>, n=2999) at ./Kernel/Library/MiniStdLib.cpp:35
#5  0x0000002000686b58 in Kernel::UserOrKernelBuffer::read (this=this@entry=0x2003422a50, dest=dest@entry=0x2002159900 <initial_kmalloc_memory+755968>, offset=offset@entry=0, len=len@entry=4096) at ./Kernel/Library/UserOrKernelBuffer.cpp:52
#6  0x00000020000f4d48 in Kernel::UserOrKernelBuffer::read (this=0x2003422a50, dest=0x2002159900 <initial_kmalloc_memory+755968>, len=4096) at ././Kernel/Library/UserOrKernelBuffer.h:71
#7  0x00000020003624a4 in Kernel::UserOrKernelBuffer::read (this=this@entry=0x2003422a50, bytes=...) at ././Kernel/Library/UserOrKernelBuffer.h:76
#8  0x00000020003619f2 in Kernel::BlockBasedFileSystem::write_block (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>, index=..., data=..., count=<optimized out>, offset=<optimized out>, offset@entry=0, allow_cache=<optimized out>, allow_cache@entry=true)
    at ./Kernel/FileSystem/BlockBasedFileSystem.cpp:160
#9  0x0000002000362090 in Kernel::BlockBasedFileSystem::write_blocks (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>, index=..., count=<optimized out>, count@entry=1, data=..., allow_cache=allow_cache@entry=true) at ./Kernel/FileSystem/BlockBasedFileSystem.cpp:225
#10 0x0000002000392454 in Kernel::Ext2FS::flush_super_block (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/Ext2FS/FileSystem.cpp:46
#11 0x000000200039cbc8 in Kernel::Ext2FS::initialize_while_locked (this=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/Ext2FS/FileSystem.cpp:134
#12 0x000000200041b438 in Kernel::FileBackedFileSystem::initialize (this=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/FileBackedFileSystem.cpp:23
#13 0x000000200057e73c in Kernel::create_and_initialize_filesystem_from_mount_file_and_description (file_backed_fs_list=..., mount_file=..., source_description=...) at ././AK/RefPtr.h:280
#14 0x00000020005818d2 in operator()<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> > (__closure=__closure@entry=0x2003422d70, list=...)
    at ./Kernel/FileSystem/VirtualFileSystem.cpp:152
#15 0x0000002000581d20 in Kernel::MutexProtected<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >::with_exclusive<Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::<lambda(auto:193&)> >(struct {...}, const Kernel::LockLocation &) (this=this@entry=0x20021a5940 <initial_kmalloc_memory+1067328>, callback=..., location=...) at ././Kernel/Locking/MutexProtected.h:75
#16 0x0000002000581e40 in Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description (mount_file=..., source_description=...) at ./Kernel/FileSystem/VirtualFileSystem.cpp:155
#17 0x000000200033b288 in Kernel::StorageManagement::create_first_vfs_root_context (this=<optimized out>) at ./Kernel/Devices/Storage/StorageManagement.cpp:478
#18 0x000000200000151e in Kernel::init_stage2 () at ./Kernel/Arch/init.cpp:396

The fault always seems to happen while reading index 1096 of the superblock.

[spholz]

The superblock struct seems to be only 1024 bytes big. So we probably should not try to write a whole logical block to disk (or zero pad it?)

[supercomputer7]

I found the bug (as I told you on our Discord conversation). I will try to put a patch to this, but this will not be an easy fix.